From 00862344f708a5057e3bf8ba79f2dbd79d841ae2 Mon Sep 17 00:00:00 2001
From: "Sergio R. Caprile"
Date: Wed, 3 Jul 2024 14:44:51 -0300
Subject: [PATCH] fix stack trashing
---
 mongoose.c | 7 ++++++-
 src/tls_builtin.c | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/mongoose.c b/mongoose.c
index e8006f3b..f88bc8a6 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -9886,9 +9886,14 @@ static int mg_tls_recv_record(struct mg_connection *c) {
 nonce[10] ^= (uint8_t) ((seq >> 8) & 255U);
 nonce[11] ^= (uint8_t) ((seq) & 255U);
 #if CHACHA20
- uint8_t dec[8192];
+ uint8_t *dec = (uint8_t *) malloc(msgsz);
+ if (dec == NULL) {
+ mg_error(c, "TLS OOM");
+ return -1;
+ }
 size_t n = mg_chacha20_poly1305_decrypt(dec, key, nonce, msg, msgsz);
 memmove(msg, dec, n);
+ free(dec);
 #else
 mg_aes_gcm_decrypt(msg, msg, msgsz - 16, key, 16, nonce, sizeof(nonce));
 #endif
diff --git a/src/tls_builtin.c b/src/tls_builtin.c
index 920f9273..fcde4191 100644
--- a/src/tls_builtin.c
+++ b/src/tls_builtin.c
@@ -456,9 +456,14 @@ static int mg_tls_recv_record(struct mg_connection *c) {
 nonce[10] ^= (uint8_t) ((seq >> 8) & 255U);
 nonce[11] ^= (uint8_t) ((seq) & 255U);
 #if CHACHA20
- uint8_t dec[8192];
+ uint8_t *dec = (uint8_t *) malloc(msgsz);
+ if (dec == NULL) {
+ mg_error(c, "TLS OOM");
+ return -1;
+ }
 size_t n = mg_chacha20_poly1305_decrypt(dec, key, nonce, msg, msgsz);
 memmove(msg, dec, n);
+ free(dec);
 #else
 mg_aes_gcm_decrypt(msg, msg, msgsz - 16, key, 16, nonce, sizeof(nonce));
 #endif
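Review bot: In both hunks (mongoose.c and src/tls_builtin.c carry the same change) the length `n` returned by `mg_chacha20_poly1305_decrypt` still goes into `memmove(msg, dec, n)` without being compared to `msgsz`, the size of the new allocation. If the decrypt routine can report failure through its return value, or derives the plaintext length by subtracting the tag size from a `msgsz` shorter than the tag, `n` would exceed both `dec` and `msg`. Neither the routine nor any earlier validation of `msgsz` is visible here, because `mg_tls_recv_record` starts and ends outside the hunk. A bound check directly after the call, releasing `dec` on the error path the same way the OOM branch returns, closes this whatever the callee does. Separately, if `msgsz` can be zero at this point, `malloc(0)` may return NULL and the record would be reported as "TLS OOM".

```c
// … unchanged: nonce setup, malloc(msgsz) and the OOM check …
  size_t n = mg_chacha20_poly1305_decrypt(dec, key, nonce, msg, msgsz);
  if (n > msgsz) {  // failure sentinel or underflowed length: never copy it
    free(dec);
    mg_error(c, "TLS decrypt failed");  // message text is a suggestion
    return -1;
  }
// … unchanged: memmove(msg, dec, n); free(dec); and the #else AES-GCM branch …
```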